[Mailman-Developers] Virus sent to lists "from" my domain - add password for moderated users

Chuq Von Rospach chuqui at plaidworks.com
Mon Mar 15 14:11:00 EST 2004


On Mar 15, 2004, at 10:53 AM, Arthur Gibbs wrote:

> Using Mailman 2.1.3, we have had problems with virus-generated
> messages with spoofed senders getting through to a one-way list.

we got nailed by this, also. at work, where I'm still (sigh) on 2.0.x, 
it nailed a big list, but since I front it with demime, it was 
defanged. Here at home, on 2.1.5b1, even though it's supposed to strip 
that stuff (I thought), it got through, live. I haven't looked at that 
yet, hopefully today with more details.

A quickie solution:

set up your aliases differently:

foo: foo-admin
foo-post: (pointer to list posting interface)

then when you send the mail, do a:

to: foo
Bcc: foo-post

make sure the list isn't set to hold Bcc:ed posts, and it ought to go 
through fine, but be protected from viruses remailing to "foo" as your 
moderator.

(which brings up an interesting problem: I realized over the weekend 
we've been lucky that viruses haven't been taught to target mailing 
lists yet. Think about it -- how do we handle a situation where a tool 
watches the incoming e-mail stream for either a "sender" or "list-id", 
and then sends itself back to that list using the "from" address in 
that incoming message? My guess is most lists would let that stuff 
through very happily, and while some would defang any active content -- 
lots wouldn't.

and I don't have a good answer for that, not at all. not sure how to 
close that hole offhand. we made it easy to figure out it IS a list, we 
show an address that the virus can tell has posting privs -- and we do 
no validation that it's actually coming from that address. ugh)
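
The alias arrangement described above, modelled as an added example that is not part of the original post or of Mailman: it shows why a message with identical headers is posted when the envelope carries the Bcc to foo-post and is not posted when something remails it to "foo" alone. The example.org addresses, the posting-interface string and the function names are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed alias table mirroring the post: the advertised name goes to a
# person, only the second name reaches the list's posting interface.
POSTING = "|list-posting-interface"          # placeholder, not a real command
ALIASES = {"foo": "foo-admin", "foo-post": POSTING}

# Constructed sample message. A spoofed copy looks exactly the same, because
# Bcc recipients never appear in the headers a recipient (or a virus) sees.
MESSAGE = (
    "From: moderator@example.org\n"
    "To: foo@example.org\n"
    "Subject: Newsletter\n"
    "\n"
    "body\n"
)


def local(addr):
    """Local part of an address, lower-cased for alias lookup."""
    return addr.split("@")[0].lower()


def disposition(raw, bcc=(), hold_implicit=False):
    """Return 'not-posted', 'held' or 'posted' for one delivery attempt.

    bcc           -- envelope-only recipients supplied by the sender
    hold_implicit -- models a list set to hold posts whose To/Cc do not
                     name the posting address (i.e. Bcc:ed posts)
    """
    msg = message_from_string(raw)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    visible = [local(a) for _, a in getaddresses(headers)]
    recipients = visible + [local(b) for b in bcc]

    # Without the Bcc, the only alias hit is foo -> foo-admin (a mailbox).
    if not any(ALIASES.get(r) == POSTING for r in recipients):
        return "not-posted"
    # The posting interface was reached, but only through the Bcc.
    if hold_implicit and "foo-post" not in visible:
        return "held"
    return "posted"


if __name__ == "__main__":
    print(disposition(MESSAGE, bcc=["foo-post@example.org"]))
    print(disposition(MESSAGE, bcc=["foo-post@example.org"], hold_implicit=True))
    print(disposition(MESSAGE))  # remailed to the visible address only
```

The model only holds while the foo-post name stays out of anything the list sends to subscribers.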
